Hacked Site

  • Thread starter Thread starter Pat
  • Start date Start date
P

Pat

our site was hacked over the weekend. they dropped in a default.htm
page. I'm running IIS 5 on W2k with SP4 and the latesest updates. I am
behind a sonicwall pro with the server out on the DMZ. I have the
times the file were placed on the server and am starting to look thru
the log files for info. how can a hacker do this? thru ASP or
something I'm overlooking. what can I look at to see what happened and
what I can do to harding my server?

thanks
 
Pat said:
our site was hacked over the weekend. they dropped in a default.htm
page. I'm running IIS 5 on W2k with SP4 and the latesest updates. I am
behind a sonicwall pro with the server out on the DMZ. I have the
times the file were placed on the server and am starting to look thru
the log files for info. how can a hacker do this? thru ASP or
something I'm overlooking. what can I look at to see what happened and
what I can do to harding my server?
Click to expand...

No real answer to this without knowing what the logs say. The problem with
any web server on the internet is that you have to be "lucky" hundreds of
times when it comes to patching/configuring your system to block every
possible exploit, and the other side only have to be lucky once.

Until you know more about what happened, I'd suggest keeping the server
offline and off your internal network as well, if applicable.

--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
if someone is able to place files on my server, would they showup with
a PUT command in the log file?
 
Pat said:
if someone is able to place files on my server, would they showup with
a PUT command in the log file?
Click to expand...

Possibly, if thats how they were placed there. But there are many other ways
to do it.
 
I've found for put records with each file placed there. do you know
what Propfind and mainframe.css do?
 
http://securityadmin.info/faq.asp#iislogs2
http://securityadmin.info/faq.asp#iislogs
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#firewall

Generally hacking IIS happens because you were missing patches, had poor
default configurations in place, and/or were missing a firewall. If the
hacking happened through IIS, installing the free URLScan from
www.microsoft.com/technet/security probably would have prevented it. Also
check out the Windows and IIS hardening checklists at that same URL. If the
hacking was done through an IIS buffer overflow or was not done through IIS
at all, or the attacker was able to delete your log files, you would not see
anything in the IIS logs. You may want to check your firewall logs [you do
have a firewall, right? there are even free ones out there] and consider a
file change checker like the free SIM from www.gfi.com
 
I've found for put records with each file placed there. do you know
what Propfind and mainframe.css do?
Click to expand...

mainframe.css appears to be a content style-sheet

Propfind is apparently a WebDav method...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/
_webdav_propfind.asp

"
The WebDAV PROPFIND Method retrieves properties for a resource identified by
the request Uniform Resource Identifier (URI). The PROPFIND Method can be used
on collection and property resources.
"


I believe there were also some recent patches for WebDav via Windows Update...


--
..:~*^*~:.:~*^*:..:~*^*~:.:~*^*~:.:~*^*~:.

"We're in the pipe... 5 by 5..."

shades2 (Perth, WA)
http://www.iinet.net.au/~shades2

PGP Public Keys:
http://members.iinet.net.au/~shades2/pgpkey.html

Making life hard for Spammers with:

(e-mail address removed), (e-mail address removed), (e-mail address removed), (e-mail address removed),
(e-mail address removed), (e-mail address removed), (e-mail address removed), (e-mail address removed),
(e-mail address removed)
 
Thanks for the responses and links everybody

http://securityadmin.info/faq.asp#iislogs2
http://securityadmin.info/faq.asp#iislogs
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#firewall

Generally hacking IIS happens because you were missing patches, had poor
default configurations in place, and/or were missing a firewall. If the
hacking happened through IIS, installing the free URLScan from
www.microsoft.com/technet/security probably would have prevented it. Also
check out the Windows and IIS hardening checklists at that same URL. If the
hacking was done through an IIS buffer overflow or was not done through IIS
at all, or the attacker was able to delete your log files, you would not see
anything in the IIS logs. You may want to check your firewall logs [you do
have a firewall, right? there are even free ones out there] and consider a
file change checker like the free SIM from www.gfi.com


Pat said:
our site was hacked over the weekend. they dropped in a default.htm
page. I'm running IIS 5 on W2k with SP4 and the latesest updates. I am
behind a sonicwall pro with the server out on the DMZ. I have the
times the file were placed on the server and am starting to look thru
the log files for info. how can a hacker do this? thru ASP or
something I'm overlooking. what can I look at to see what happened and
what I can do to harding my server?

thanks
Click to expand...
Click to expand...
 
I have SP4 on the W2K box with all the latest patches, running
sonicwall pro with server out on the dmz. I tried the links but they
are not woking.

http://securityadmin.info/faq.asp#iislogs2
http://securityadmin.info/faq.asp#iislogs
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#firewall

Generally hacking IIS happens because you were missing patches, had poor
default configurations in place, and/or were missing a firewall. If the
hacking happened through IIS, installing the free URLScan from
www.microsoft.com/technet/security probably would have prevented it. Also
check out the Windows and IIS hardening checklists at that same URL. If the
hacking was done through an IIS buffer overflow or was not done through IIS
at all, or the attacker was able to delete your log files, you would not see
anything in the IIS logs. You may want to check your firewall logs [you do
have a firewall, right? there are even free ones out there] and consider a
file change checker like the free SIM from www.gfi.com


Pat said:
our site was hacked over the weekend. they dropped in a default.htm
page. I'm running IIS 5 on W2k with SP4 and the latesest updates. I am
behind a sonicwall pro with the server out on the DMZ. I have the
times the file were placed on the server and am starting to look thru
the log files for info. how can a hacker do this? thru ASP or
something I'm overlooking. what can I look at to see what happened and
what I can do to harding my server?

thanks
Click to expand...
Click to expand...
 
Hi Pat,

Thanks for posting here! I am sorry to hear the difficutlies you
encountered.

As Robert mentioned before, there may various methods for hackers to attack
an unsecure web site. So it may be not easy for us to tell how they put the
file in your web site.

The Propfind command is an webdav method which retrieves properties for a
resource identified by the request Uniform Resource Identifier (URI). In
this case, it seems that you enabled WebDAV Publishing on your web site. As
Basic authentication is used by WebDAV by default and the username and
password are transferred in plain text during basic authentication, I am
afraid that this may be the cause that this issue ocurred.

I would like to confirm whether WebDAV is necessary for your web site. If
not, you may refer to the following KB article to disable it in IIS:
241520 How to Disable WebDAV for IIS 5.0
http://support.microsoft.com/?id=241520

If you need WebDAV publishing, it is suggested that you use SSL with basic
authentication for WebDAV publishing. To do so, please refer to the
following KB article:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, you may want to use IIS Lockdown and URLScan tools to configure
Web servers in secure. For your convenience, I included the following
WebCast which provide an overview for administrators about how to use these
tools.
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

If you have any further concerns, please post into the following group for
more info:
microsoft.public.inetserver.iis.security

I hope this info helps!

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Sun, 25 Jan 2004 18:52:48 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20432
| X-Tomcat-NG: microsoft.public.win2000.security
|
| I've found for put records with each file placed there. do you know
| what Propfind and mainframe.css do?
|
| On Sun, 25 Jan 2004 22:46:48 -0000, "Robert Moir" <[email protected]>
| wrote:
|
| >Pat wrote:
| >> if someone is able to place files on my server, would they showup with
| >> a PUT command in the log file?
| >
| >Possibly, if thats how they were placed there. But there are many other
ways
| >to do it.
| >
|
|
 
Pat said:
I've found for put records with each file placed there. do you know
what Propfind and mainframe.css do?
Click to expand...

You've got good answers about these file names specifically since you posted
that so I won't repeat them, but keep in mind that someone could give a file
any name, you can't judge a book by its cover with this stuff. Also, they
may have tidied up and removed most of the obvious signs of what they did
after they had finished altering your homepage.
 
Kyle,
thank you for the information

Hi Pat,

Thanks for posting here! I am sorry to hear the difficutlies you
encountered.

As Robert mentioned before, there may various methods for hackers to attack
an unsecure web site. So it may be not easy for us to tell how they put the
file in your web site.

The Propfind command is an webdav method which retrieves properties for a
resource identified by the request Uniform Resource Identifier (URI). In
this case, it seems that you enabled WebDAV Publishing on your web site. As
Basic authentication is used by WebDAV by default and the username and
password are transferred in plain text during basic authentication, I am
afraid that this may be the cause that this issue ocurred.

I would like to confirm whether WebDAV is necessary for your web site. If
not, you may refer to the following KB article to disable it in IIS:
241520 How to Disable WebDAV for IIS 5.0
http://support.microsoft.com/?id=241520

If you need WebDAV publishing, it is suggested that you use SSL with basic
authentication for WebDAV publishing. To do so, please refer to the
following KB article:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, you may want to use IIS Lockdown and URLScan tools to configure
Web servers in secure. For your convenience, I included the following
WebCast which provide an overview for administrators about how to use these
tools.
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

If you have any further concerns, please post into the following group for
more info:
microsoft.public.inetserver.iis.security

I hope this info helps!

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Sun, 25 Jan 2004 18:52:48 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20432
| X-Tomcat-NG: microsoft.public.win2000.security
|
| I've found for put records with each file placed there. do you know
| what Propfind and mainframe.css do?
|
| On Sun, 25 Jan 2004 22:46:48 -0000, "Robert Moir" <[email protected]>
| wrote:
|
| >Pat wrote:
| >> if someone is able to place files on my server, would they showup with
| >> a PUT command in the log file?
| >
| >Possibly, if thats how they were placed there. But there are many other
ways
| >to do it.
| >
|
|
Click to expand...
 
Kyle,
how is webdav enabled?

Hi Pat,

Thanks for posting here! I am sorry to hear the difficutlies you
encountered.

As Robert mentioned before, there may various methods for hackers to attack
an unsecure web site. So it may be not easy for us to tell how they put the
file in your web site.

The Propfind command is an webdav method which retrieves properties for a
resource identified by the request Uniform Resource Identifier (URI). In
this case, it seems that you enabled WebDAV Publishing on your web site. As
Basic authentication is used by WebDAV by default and the username and
password are transferred in plain text during basic authentication, I am
afraid that this may be the cause that this issue ocurred.

I would like to confirm whether WebDAV is necessary for your web site. If
not, you may refer to the following KB article to disable it in IIS:
241520 How to Disable WebDAV for IIS 5.0
http://support.microsoft.com/?id=241520

If you need WebDAV publishing, it is suggested that you use SSL with basic
authentication for WebDAV publishing. To do so, please refer to the
following KB article:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, you may want to use IIS Lockdown and URLScan tools to configure
Web servers in secure. For your convenience, I included the following
WebCast which provide an overview for administrators about how to use these
tools.
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

If you have any further concerns, please post into the following group for
more info:
microsoft.public.inetserver.iis.security

I hope this info helps!

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Sun, 25 Jan 2004 18:52:48 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20432
| X-Tomcat-NG: microsoft.public.win2000.security
|
| I've found for put records with each file placed there. do you know
| what Propfind and mainframe.css do?
|
| On Sun, 25 Jan 2004 22:46:48 -0000, "Robert Moir" <[email protected]>
| wrote:
|
| >Pat wrote:
| >> if someone is able to place files on my server, would they showup with
| >> a PUT command in the log file?
| >
| >Possibly, if thats how they were placed there. But there are many other
ways
| >to do it.
| >
|
|
Click to expand...
 
Hi Pat,

Thanks for the update.

WebDAV is enabled by default on IIS5. Considering the possible security
risk, it is disabled since IIS 6.

For IIS 5, as I suggested before, you can disable it if it is not necessary
for your web site. If you need WebDAV, please use IIS Lockdown and URLscan
utility to keep your web site in secure.

If you have any futher concerns, please feel free to let me know.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Mon, 26 Jan 2004 19:32:00 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.
phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20552
| X-Tomcat-NG: microsoft.public.win2000.security
|
|
| Kyle,
| how is webdav enabled?
|
| On Mon, 26 Jan 2004 16:02:05 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Hi Pat,
| >
| >Thanks for posting here! I am sorry to hear the difficutlies you
| >encountered.
| >
| >As Robert mentioned before, there may various methods for hackers to
attack
| >an unsecure web site. So it may be not easy for us to tell how they put
the
| >file in your web site.
| >
| >The Propfind command is an webdav method which retrieves properties for
a
| >resource identified by the request Uniform Resource Identifier (URI). In
| >this case, it seems that you enabled WebDAV Publishing on your web site.
As
| >Basic authentication is used by WebDAV by default and the username and
| >password are transferred in plain text during basic authentication, I am
| >afraid that this may be the cause that this issue ocurred.
| >
| >I would like to confirm whether WebDAV is necessary for your web site.
If
| >not, you may refer to the following KB article to disable it in IIS:
| >241520 How to Disable WebDAV for IIS 5.0
| >http://support.microsoft.com/?id=241520
| >
| >If you need WebDAV publishing, it is suggested that you use SSL with
basic
| >authentication for WebDAV publishing. To do so, please refer to the
| >following KB article:
| >323470 HOW TO: Create a Secure WebDAV Publishing Directory
| >http://support.microsoft.com/?id=323470
| >
| >Moreover, you may want to use IIS Lockdown and URLScan tools to
configure
| >Web servers in secure. For your convenience, I included the following
| >WebCast which provide an overview for administrators about how to use
these
| >tools.
| >817807 Support WebCast: Internet Information Services: Configuring IIS
Using
| >http://support.microsoft.com/?id=817807
| >
| >If you have any further concerns, please post into the following group
for
| >more info:
| >microsoft.public.inetserver.iis.security
| >
| >I hope this info helps!
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Sun, 25 Jan 2004 18:52:48 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
 
thanks for the response
Hi Pat,

Thanks for the update.

WebDAV is enabled by default on IIS5. Considering the possible security
risk, it is disabled since IIS 6.

For IIS 5, as I suggested before, you can disable it if it is not necessary
for your web site. If you need WebDAV, please use IIS Lockdown and URLscan
utility to keep your web site in secure.

If you have any futher concerns, please feel free to let me know.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Mon, 26 Jan 2004 19:32:00 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.
phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20552
| X-Tomcat-NG: microsoft.public.win2000.security
|
|
| Kyle,
| how is webdav enabled?
|
| On Mon, 26 Jan 2004 16:02:05 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Hi Pat,
| >
| >Thanks for posting here! I am sorry to hear the difficutlies you
| >encountered.
| >
| >As Robert mentioned before, there may various methods for hackers to
attack
| >an unsecure web site. So it may be not easy for us to tell how they put
the
| >file in your web site.
| >
| >The Propfind command is an webdav method which retrieves properties for
a
| >resource identified by the request Uniform Resource Identifier (URI). In
| >this case, it seems that you enabled WebDAV Publishing on your web site.
As
| >Basic authentication is used by WebDAV by default and the username and
| >password are transferred in plain text during basic authentication, I am
| >afraid that this may be the cause that this issue ocurred.
| >
| >I would like to confirm whether WebDAV is necessary for your web site.
If
| >not, you may refer to the following KB article to disable it in IIS:
| >241520 How to Disable WebDAV for IIS 5.0
| >http://support.microsoft.com/?id=241520
| >
| >If you need WebDAV publishing, it is suggested that you use SSL with
basic
| >authentication for WebDAV publishing. To do so, please refer to the
| >following KB article:
| >323470 HOW TO: Create a Secure WebDAV Publishing Directory
| >http://support.microsoft.com/?id=323470
| >
| >Moreover, you may want to use IIS Lockdown and URLScan tools to
configure
| >Web servers in secure. For your convenience, I included the following
| >WebCast which provide an overview for administrators about how to use
these
| >tools.
| >817807 Support WebCast: Internet Information Services: Configuring IIS
Using
| >http://support.microsoft.com/?id=817807
| >
| >If you have any further concerns, please post into the following group
for
| >more info:
| >microsoft.public.inetserver.iis.security
| >
| >I hope this info helps!
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Sun, 25 Jan 2004 18:52:48 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09
Click to expand...
Click to expand...
 
if someone got in my site using the propfind command, would they need
an user account, if so how would they get that?

Hi Pat,

Thanks for the update.

WebDAV is enabled by default on IIS5. Considering the possible security
risk, it is disabled since IIS 6.

For IIS 5, as I suggested before, you can disable it if it is not necessary
for your web site. If you need WebDAV, please use IIS Lockdown and URLscan
utility to keep your web site in secure.

If you have any futher concerns, please feel free to let me know.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Mon, 26 Jan 2004 19:32:00 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.
phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20552
| X-Tomcat-NG: microsoft.public.win2000.security
|
|
| Kyle,
| how is webdav enabled?
|
| On Mon, 26 Jan 2004 16:02:05 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Hi Pat,
| >
| >Thanks for posting here! I am sorry to hear the difficutlies you
| >encountered.
| >
| >As Robert mentioned before, there may various methods for hackers to
attack
| >an unsecure web site. So it may be not easy for us to tell how they put
the
| >file in your web site.
| >
| >The Propfind command is an webdav method which retrieves properties for
a
| >resource identified by the request Uniform Resource Identifier (URI). In
| >this case, it seems that you enabled WebDAV Publishing on your web site.
As
| >Basic authentication is used by WebDAV by default and the username and
| >password are transferred in plain text during basic authentication, I am
| >afraid that this may be the cause that this issue ocurred.
| >
| >I would like to confirm whether WebDAV is necessary for your web site.
If
| >not, you may refer to the following KB article to disable it in IIS:
| >241520 How to Disable WebDAV for IIS 5.0
| >http://support.microsoft.com/?id=241520
| >
| >If you need WebDAV publishing, it is suggested that you use SSL with
basic
| >authentication for WebDAV publishing. To do so, please refer to the
| >following KB article:
| >323470 HOW TO: Create a Secure WebDAV Publishing Directory
| >http://support.microsoft.com/?id=323470
| >
| >Moreover, you may want to use IIS Lockdown and URLScan tools to
configure
| >Web servers in secure. For your convenience, I included the following
| >WebCast which provide an overview for administrators about how to use
these
| >tools.
| >817807 Support WebCast: Internet Information Services: Configuring IIS
Using
| >http://support.microsoft.com/?id=817807
| >
| >If you have any further concerns, please post into the following group
for
| >more info:
| >microsoft.public.inetserver.iis.security
| >
| >I hope this info helps!
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Sun, 25 Jan 2004 18:52:48 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09
Click to expand...
Click to expand...
 
Thanks for your reply, Pat!

As we discussed before, basic authentication is used by WebDAV by default,
so the username and password are transferred in plain text during basic
authentication (without SSL involved). In this situation, it is easy for an
attacker to trace your network traffic and find the username and password.
That's why I suggested before, when you would like to use WebDAV, you need
use SSL with basic authentication. For your convenience, I included the
following link to the KB about about to use SSL for WebDAV again:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, when you publish your web site to the Internet, please make sure
that you use IIS Lockdown and URLscan to protect your web site. More info
here:
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

Hope this helps to explain.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Tue, 27 Jan 2004 14:17:22 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20606
| X-Tomcat-NG: microsoft.public.win2000.security
|
| if someone got in my site using the propfind command, would they need
| an user account, if so how would they get that?
|
| On Tue, 27 Jan 2004 17:37:22 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Hi Pat,
| >
| >Thanks for the update.
| >
| >WebDAV is enabled by default on IIS5. Considering the possible security
| >risk, it is disabled since IIS 6.
| >
| >For IIS 5, as I suggested before, you can disable it if it is not
necessary
| >for your web site. If you need WebDAV, please use IIS Lockdown and
URLscan
| >utility to keep your web site in secure.
| >
| >If you have any futher concerns, please feel free to let me know.
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Mon, 26 Jan 2004 19:32:00 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| ><[email protected]>
| ><[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
 
thanks for all the help.

Thanks for your reply, Pat!

As we discussed before, basic authentication is used by WebDAV by default,
so the username and password are transferred in plain text during basic
authentication (without SSL involved). In this situation, it is easy for an
attacker to trace your network traffic and find the username and password.
That's why I suggested before, when you would like to use WebDAV, you need
use SSL with basic authentication. For your convenience, I included the
following link to the KB about about to use SSL for WebDAV again:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, when you publish your web site to the Internet, please make sure
that you use IIS Lockdown and URLscan to protect your web site. More info
here:
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

Hope this helps to explain.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Tue, 27 Jan 2004 14:17:22 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20606
| X-Tomcat-NG: microsoft.public.win2000.security
|
| if someone got in my site using the propfind command, would they need
| an user account, if so how would they get that?
|
| On Tue, 27 Jan 2004 17:37:22 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Hi Pat,
| >
| >Thanks for the update.
| >
| >WebDAV is enabled by default on IIS5. Considering the possible security
| >risk, it is disabled since IIS 6.
| >
| >For IIS 5, as I suggested before, you can disable it if it is not
necessary
| >for your web site. If you need WebDAV, please use IIS Lockdown and
URLscan
| >utility to keep your web site in secure.
| >
| >If you have any futher concerns, please feel free to let me know.
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Mon, 26 Jan 2004 19:32:00 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| ><[email protected]>
| ><[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08
Click to expand...
Click to expand...
 
My pleasure, Pat! Hope to assist you here again in the future.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Wed, 28 Jan 2004 09:27:33 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20668
| X-Tomcat-NG: microsoft.public.win2000.security
|
| thanks for all the help.
|
| On Wed, 28 Jan 2004 09:02:01 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Thanks for your reply, Pat!
| >
| >As we discussed before, basic authentication is used by WebDAV by
default,
| >so the username and password are transferred in plain text during basic
| >authentication (without SSL involved). In this situation, it is easy for
an
| >attacker to trace your network traffic and find the username and
password.
| >That's why I suggested before, when you would like to use WebDAV, you
need
| >use SSL with basic authentication. For your convenience, I included the
| >following link to the KB about about to use SSL for WebDAV again:
| >323470 HOW TO: Create a Secure WebDAV Publishing Directory
| >http://support.microsoft.com/?id=323470
| >
| >Moreover, when you publish your web site to the Internet, please make
sure
| >that you use IIS Lockdown and URLscan to protect your web site. More
info
| >here:
| >817807 Support WebCast: Internet Information Services: Configuring IIS
Using
| >http://support.microsoft.com/?id=817807
| >
| >Hope this helps to explain.
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Tue, 27 Jan 2004 14:17:22 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
 
Back
Top